IntruderUserAttempts

The IntruderUserAttempts directive gives EZproxy administrators a way to stop and discourage password-guessing attacks: automated trial and error of passwords against a valid username.

When used as an event in combination with the Audit directive, the IntruderUserAttempts directive can help EZproxy administrators to identify compromised usernames and permanently remove those usernames' access to EZproxy.

IntruderUserAttempts is a position-independent config.txt directive that typically appears toward the top of the file. It enables intruder detection that counts repeated failed logins to EZproxy for the same username and blocks that username once a threshold is reached, regardless of the source IP address of the attempts. Because the block is keyed on the username rather than the source IP, a guessing campaign that never pauses for -expires minutes also keeps the legitimate owner of that username locked out, so the count, -interval and -expires values trade off resistance to guessing against that denial of service. You can tune the thresholds using the qualifiers in the table below.

The basic format for the IntruderUserAttempts directive is as follows:

IntruderUserAttempts -interval=5 -expires=15 10

In this example, if someone attempts to log in to EZproxy 10 times within a 5 minute period with a valid username and the wrong password, EZproxy blocks all further login attempts for that username until no attempts at all have been made with it for 15 minutes.

If a valid user contacts you after being blocked and wants to keep trying, you can clear the IntruderUserAttempts block for that username through the /admin EZproxy administration page.

Qualifiers

Add the following qualifiers to your IntruderUserAttempts directive to specify when to block a username whose password is repeatedly entered incorrectly. Replace minutes and count with the numeric values you want to use.

Qualifier            Description

-interval=minutes    Number of minutes within which the count of invalid login
                     attempts for a single username must be reached before EZproxy
                     starts blocking all login attempts for that username.

-expires=minutes     Number of minutes that must pass with no further login attempts
                     for a blocked username before EZproxy stops blocking login
                     attempts for that username.

count                Number of login attempts with the wrong password for a username
                     that must occur within -interval before EZproxy starts blocking
                     all login attempts for that username.
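The following Python model is an added illustration of the behaviour the directive and its qualifiers describe; it is not EZproxy's own code, and the exact internal algorithm EZproxy uses is not published, so the sliding window and reset rules below are assumptions reconstructed from this page. It shows why the defaults matter: ten bad passwords inside -interval lock the username for everyone, the correct password is refused while the block stands, and the block only lifts after -expires minutes with no attempts at all, so a persistent guesser keeps the real owner out.

```python
"""Model of IntruderUserAttempts -interval=I -expires=E COUNT (added example, not EZproxy code).

Assumed semantics, taken from the documentation text: bad passwords for a username are
counted across all source IPs inside a sliding window of I minutes; once COUNT failures
fall inside the window, every login attempt for that username (right password or wrong)
is refused until E minutes pass with no attempts for it at all.
"""
from collections import defaultdict, deque


class UserIntruderTracker:
    def __init__(self, count, interval_min, expires_min):
        self.count = count
        self.interval = interval_min * 60   # -interval, in seconds
        self.expires = expires_min * 60     # -expires, in seconds
        self.failures = defaultdict(deque)  # username -> timestamps of wrong-password attempts
        self.blocked_until = {}             # username -> time the block lifts if left alone

    def is_blocked(self, user, now):
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:                    # quiet for -expires minutes: lift the block
            del self.blocked_until[user]
            self.failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Return 'blocked', 'success' or 'failure' for one login attempt at time now (seconds)."""
        if self.is_blocked(user, now):
            # Any attempt during the block, even with the correct password, restarts the
            # -expires clock, so the block persists until the attempts stop.
            self.blocked_until[user] = now + self.expires
            return 'blocked'
        if password_ok:
            self.failures[user].clear()
            return 'success'
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > self.interval:   # drop failures older than -interval
            window.popleft()
        if len(window) >= self.count:                        # threshold reached: block the username
            self.blocked_until[user] = now + self.expires
        return 'failure'


def run_scenarios():
    """Constructed scenarios for: IntruderUserAttempts -interval=5 -expires=15 10"""
    t = UserIntruderTracker(count=10, interval_min=5, expires_min=15)
    out = {}

    # 1. A guesser tries the hypothetical username 'jdoe' ten times, ten seconds apart.
    out['guesses'] = [t.attempt('jdoe', False, i * 10) for i in range(10)]

    # 2. The real jdoe types the correct password 40 s later and is refused anyway.
    out['owner_during_block'] = t.attempt('jdoe', True, 130)

    # 3. The guesser keeps one attempt per minute for an hour: the block never expires,
    #    so the account stays locked to its owner for as long as the guessing continues.
    for m in range(1, 61):
        t.attempt('jdoe', False, 130 + m * 60)
    out['still_blocked_after_hour'] = t.is_blocked('jdoe', 130 + 61 * 60)

    # 4. Guessing stops; once 15 quiet minutes have passed the owner logs in normally.
    out['owner_after_quiet'] = t.attempt('jdoe', True, 130 + 60 * 60 + 15 * 60 + 1)

    # 5. Ten failures spread over six minutes never put ten inside a five-minute window,
    #    so the hypothetical 'asmith' is never blocked.
    out['slow_guesser'] = [t.attempt('asmith', False, i * 40) for i in range(10)]
    out['slow_guesser_blocked'] = t.is_blocked('asmith', 400)
    return out


if __name__ == '__main__':
    for name, result in run_scenarios().items():
        print(name, result)
```

Scenario 3 is the one to keep in mind when choosing -expires: a longer value makes casual guessing less attractive but also lengthens the outage a sustained guesser inflicts on the account's real owner, which is why the administration page lets you clear the block by hand.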

Advanced Example

If you are uncertain about initial security configurations to use with the IntruderUserAttempts directive, you can begin with the following:

IntruderUserAttempts -interval=5 -expires=15 10

This provides a baseline that blocks any username for which the wrong password is entered 10 times within a 5 minute period. After 15 minutes with no further login attempts for the blocked username, EZproxy stops blocking it. These are reasonable starting values because users legitimately forget passwords: the limits give them enough room to try several passwords, and if they still fail, they only have to wait 15 minutes before trying again.

After this directive has been added to your config.txt file, you can monitor IntruderUserAttempts in your audit logs from your admin page by clicking on the View audit events link. You will see a table similar to the following:

Date/Time  Event                IP               Location      Username   Session           Other
11:00:17   System                                                                           Startup
11:00:17   System                                                                           Purged audit file 20140930.txt
11:00:56   Login.Success        127.0.0.1        US OH Dublin  admin      ypAvVbCo28nsw7y
11:04:00   Login.Intruder.User  123.456.789.101  US OH Dublin  baduser    ghAvILFw30lwk09
11:10:45   Login.Success        123.789.101.112  US OH Dublin  gooduser   ifJlwElwo50jkl19
12:20:00   Login.Intruder.User  123.456.789.101  US OH Dublin  baduser    poWlQJ92xjl0ad7
11:24:54   Login.Success        123.123.123.123  US OH Dublin  gooduser2  kIlwkEpoq90el8p
1:20:21    Login.Success        123.123.456.456  US OH Dublin  gooduser3  riOwLF82DjZHgnd2

Look for any events labeled Login.Intruder.User. If you see repeated blocked logins for the same username, first determine whether that IP address and username belong to a valid user who is having difficulty logging in to your EZproxy resources. If you determine that this is not a legitimate user, consider removing the username from your user.txt file, or consult your IT department about the username.
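The triage described above can be done over the audit file rather than by eye. The Python below is an added example, not EZproxy's own tooling: it parses a constructed sample whose tab-separated fields mirror the columns of the table above (Date/Time, Event, IP, Location, Username, Session, Other), groups Login.Intruder.User events by username, and separates usernames that also logged in successfully from one of the blocked IPs (probably a real user fumbling a password) from usernames that were blocked repeatedly and never succeeded. The column layout of the files EZproxy actually writes is an assumption here; the usernames, sessions and RFC 5737 test addresses in the sample are constructed.

```python
"""Triage Login.Intruder.User events from an EZproxy audit file (added example, not EZproxy code)."""
import csv
from collections import defaultdict
from io import StringIO

# Assumed column order, mirroring the audit table in the documentation. Check one of your
# own audit files and adjust this list if the on-disk layout differs.
COLUMNS = ['datetime', 'event', 'ip', 'location', 'username', 'session', 'other']

# Constructed sample. IPs come from the RFC 5737 documentation ranges rather than the
# table's placeholder addresses, which are not valid IPv4.
SAMPLE_AUDIT = (
    "2014-10-01 11:00:17\tSystem\t\t\t\t\tStartup\n"
    "2014-10-01 11:00:56\tLogin.Success\t127.0.0.1\tUS OH Dublin\tadmin\typAvVbCo28nsw7y\t\n"
    "2014-10-01 11:04:00\tLogin.Intruder.User\t203.0.113.10\tUS OH Dublin\tbaduser\tghAvILFw30lwk09\t\n"
    "2014-10-01 11:09:30\tLogin.Intruder.User\t198.51.100.7\tUS OH Dublin\tgooduser\tmsP0lk3Lw9xnq2\t\n"
    "2014-10-01 11:10:45\tLogin.Success\t198.51.100.7\tUS OH Dublin\tgooduser\tifJlwElwo50jkl19\t\n"
    "2014-10-01 12:20:00\tLogin.Intruder.User\t203.0.113.10\tUS OH Dublin\tbaduser\tpoWlQJ92xjl0ad7\t\n"
    "2014-10-01 12:41:12\tLogin.Intruder.User\t203.0.113.44\tUS OH Dublin\tbaduser\tq8Lm2ZxVb0ctr1\t\n"
)


def parse_audit(text):
    """Return one dict per audit row, padding short rows so every column key exists."""
    rows = []
    for fields in csv.reader(StringIO(text), delimiter='\t'):
        if not fields:
            continue
        fields = (fields + [''] * len(COLUMNS))[:len(COLUMNS)]
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def triage_intruder_users(rows):
    """Group Login.Intruder.User events by username and attach a verdict to each.

    A username also seen in Login.Success from an IP that tripped the block looks like a
    legitimate user who fumbled a password. A username blocked more than once that never
    succeeded from any of those IPs is the pattern the documentation says to investigate.
    """
    blocked_ips = defaultdict(list)   # username -> IPs present on its Login.Intruder.User rows
    success_ips = defaultdict(set)    # username -> IPs present on its Login.Success rows
    for r in rows:
        if r['event'] == 'Login.Intruder.User':
            blocked_ips[r['username']].append(r['ip'])
        elif r['event'] == 'Login.Success':
            success_ips[r['username']].add(r['ip'])

    report = {}
    for user, ips in blocked_ips.items():
        if set(ips) & success_ips[user]:
            verdict = 'likely legitimate user: also succeeded from a blocked IP'
        elif len(ips) > 1:
            verdict = 'investigate: repeated blocks, never succeeded'
        else:
            verdict = 'single block, watch'
        report[user] = {
            'events': len(ips),
            'distinct_ips': sorted(set(ips)),
            'verdict': verdict,
        }
    return report


if __name__ == '__main__':
    for user, info in triage_intruder_users(parse_audit(SAMPLE_AUDIT)).items():
        print(user, info)
```

Blocks arriving for one username from several unrelated IPs with no success anywhere is the strongest sign that the username itself is being targeted; a single block followed by a success from the same address is almost always the password-reset case the page describes.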

The following directives interact with or control functions related to this directive: